Trust Assessment
ralph-loop received a trust score of 50/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 2 critical, 1 high, 1 medium, and 0 low severity. Key findings include hidden network beacons / undisclosed telemetry, command injection via the `RALPH_FLAGS` environment variable, and command injection via the `RALPH_TEST` environment variable.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 33/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Description | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Command Injection via RALPH_FLAGS environment variable | The `RALPH_FLAGS` environment variable is directly interpolated into the command executed for the AI agent (e.g., `codex exec $CLI_FLAGS`, `claude --print $CLI_FLAGS`). An attacker can inject arbitrary shell commands by setting `RALPH_FLAGS` to include shell metacharacters, leading to remote code execution. | Sanitize or escape the `RALPH_FLAGS` variable before interpolation, or pass it as a single argument to the underlying CLI tool if it supports it. Alternatively, use an array to construct the command to prevent word splitting and globbing, e.g., `CMD=(codex exec "${CLI_FLAGS_ARRAY[@]}")`. | LLM | scripts/ralph.sh:40 |
| CRITICAL | Command Injection via RALPH_TEST environment variable | The `RALPH_TEST` environment variable, if set, is executed directly as a shell command using `bash -lc "$TEST_CMD"`. An attacker can inject arbitrary shell commands by setting `RALPH_TEST` to include shell metacharacters, leading to remote code execution. | Avoid direct execution of user-controlled environment variables. If a test command must be configurable, consider a whitelist of allowed commands or a more secure execution mechanism that does not involve direct shell interpretation of arbitrary strings. | LLM | scripts/ralph.sh:169 |
| HIGH | Hidden network beacons / undisclosed telemetry | Command output piped through base64 encoding. | Remove undisclosed network calls and telemetry. All outbound communication should be documented and necessary for the skill's stated purpose. BCC injection in email tools is almost always malicious. | Manifest | skills/endogen/monitored-ralph-loop/scripts/ralph.sh:90 |
| MEDIUM | Potential Data Exfiltration via Log Tail in Notification | The `notify` function base64 encodes the last 50 lines of the `ralph.log` file and includes it in the notification payload. If sensitive information (e.g., API keys, credentials, PII) is inadvertently written to this log file by the AI agent or other processes, it could be exfiltrated via the notification mechanism to the `openclaw` service or other configured endpoints. | Review the logging practices to ensure no sensitive data is written to `ralph.log`. If sensitive data might be present, implement redaction or filtering before including log snippets in notifications. Alternatively, remove the `log_tail` from notifications or restrict its inclusion to trusted, internal debugging channels only. | LLM | scripts/ralph.sh:80 |